Software has bugs, quite commonly in libraries that are created by third-party developers. Unfortunately, a bug in any library enables attackers to take control of an application. Furthermore, since popular libraries are used across thousands of applications, these libraries become a high-leverage target for attackers. This work improves the security of software by stopping bugs in one library from impacting other portions of the application. This makes it much more difficult for attackers to compromise software and harm users. This work builds a novel mechanism that can take legacy programs and convert them into a series of components that are isolated into different domains called cages. Cages are isolated from each other in a way that is similar to how operating system virtual machines are isolated. Each cage may have its own file system and network interface, and may handle system calls in a different manner. This includes the potential for blocking system calls that should not be needed by a cage, for example to disable the network interface in libraries that do not need it. This isolation also includes resource and performance isolation for a specific cage, preventing a malicious or buggy library from crashing or harming an application. The team is working to not only develop a research prototype for the effort, but also to use this work to secure large software projects.
SaTC: CORE: Small: Better Software Security Through Caging